Hook up X25519MKLEM768 to the TLS 1.3 handshake

This does the following:

1) Adds a second key share prediction to the TLS 1.3 handshake.
   We only add one as we are unlikely to want to send more than
   one PQ one, and one classical one and are unlikely to waste
   bytes on a second PQ algorithm (anything that wants something
   else that we support can HRR to get it)

2) Adds X25519MLKEM768 (4588) to our list of supported groups.
   We add this to our preferred client and server key shares for TLS 1.3
   and we now have a separate list for TLS 1.2 which does not do this,
   cleaning up the old "full list" from the comments.

3) Updates the golden magic numbers in the regression tests to allow
   for the above two things changing the handshake, so the regress
   tests pass.

With this you can successfully hybrid PQ with servers and clients
that support it.

ok tb@ kenjiro@

1 files changed, 13 insertions, 1 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index b0a285694d..21d3960796 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.105 2025/12/04 21:03:42 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.106 2025/12/04 21:16:17 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -56,6 +56,18 @@ tls13_client_init(struct tls13_ctx *ctx)
         if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
+        /*
+         * Generate a second key share prediction if we have another
+         * supported group
+         */
+        if (groups_len > 1) {
+                if ((ctx->hs->tls13.key_share = tls_key_share_new(groups[1])) ==
+                    NULL)
+                        return 0;
+                if (!tls_key_share_client_generate(ctx->hs->tls13.key_share))
+                        return 0;
+        }
+
         arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
         /*